I’m in favor of as many auth methods as possible so that it would be a no-brainer for the users: whatever kind of external SSO ensures that the bar is lowered to participate in discussions.
Assuming that the end user is responsible for the choice around their data and usage pattern.
A few points:
- Not sure about the state of “sending requests to external providers when opening the login windows”: we might want to double-check exhaustively. For GitHub, everything is stored on Discourse servers, but what about Facebook, LinkedIn, etc.? (Thinking about the case where a request is made for the image of the log-in button to an external server, allowing the user to be traced back even if they have no account or are not logged in.) WDYT?
- Might be obvious, but keeping read-only access (e.g. without requiring authentication) to the forum is really important for me, as I don’t see why reading a subject should make auth mandatory. I understand that Discourse had this option enabled by default (“à la Medium: after 3-4 read topics, a popup asking for auth appears”) but it was disabled by one of you: that’s a great thing!
  - Of course, posting to a forum should require authentication though, to ensure some kind of moderation applies when expressing (Code of Conduct accepted, GDPR, etc.)
- I wasn’t able to reproduce any error while using GitHub SSO (macOS Intel, Firefox latest, uBlock enabled with default configuration): it’s important that we identify the issue or it will be shadowed and could cause frustration to end users: can the ones of you affected by the mentioned issue describe the reproduction?
  - It seems like you identified that it’s when 2FA is enforced on Discourse’s side to a group (Staff) which forbids use of external authentication? If it is the case, I’m in favor of keeping SSOs, and switching the discussion to another dedicated topic around staff management (as it might induce moderators)

Btw, thanks y’all for discussing this topic, it’s really heart-warming to see such activity, keep up the good work!